back to article Web host breach may have exposed passwords for 6,000 clients

Layered Technologies has been targeted by malicious hackers who may have stolen passwords and other personal details on as many as 6,000 of its clients, the Texas-based web host provider warned. It is advising customers to change login credentials for all host details submitted in the past two years. The Monday evening breach …

COMMENTS

This topic is closed for new posts.

Annoying but not a real problem... unless you're dumb

So they say the attack had the potential to expose names, addresses, phone numbers, email addresses and server login details.

The first four points are of course true. The fifth (server login details) is true as well, but only because people are dumb enough to give their server provider their root password (to fix a problem, etc.) and then NOT CHANGE IT AFTER.

I lease a server from LT and although I've certainly changed my support portal password, I'm not losing any sleep over the security of my server itself. Any server password I ever gave to their techs was changed the moment after they were done with it. They have no business retaining any valid logins for my server after that point.

I have trouble feeling sorry for anyone who doesn't follow this basic security procedure.

0
0
Anonymous Coward

/me puts his hand up

Got the email from LT this morning. All passwords changed.

Their support system has this habit of asking for the root pass of your server as a required field for most requests which I make a habit of mashing the keyboard on anyway.

As for the payment details option not being leaked... as I recently discovered you cant even update your own payment details online with them at all. They have a nice shiny new system called Encompass which is suppose to 'Encompass' the whole aspect of your account... except the ability to update your payment details.

From a support ticket recently...

"If you wish to change the CC that you want to use please either call us or send a CC change reqeust to accounts [at] layeredtech.com. You will need to provide font and back copies of your ID and the new CC that you want to use."

In a way thats pretty secure (assuming the monkey processing your request at LT is legit anyway) but a absolute goddamn pain the ass.

0
0

@ the previous poster

Hah, yeah, you can't update your credit card through their system, but at least they let you do it online somehow (not that e-mail/phone is overly secure but..)

At my *other* host, they make me fax them a signed form for changes. Fax! Who has a fax machine? Have to go to Kinko's just to update my billing details....

0
0

LT hack

I'm another LT customer. The incident in question doesn't exactly bother me, as the first poster said I changed my login details the second the box was delivered.

I was more worried about the photo ID scans and CC details they collect when you open an account. What a gold mine that would be for an unscrupulous hacker!

What surprises me more is the fact that they completely omitted any information regarding CCs/IDs in the advisory they sent out - surely they'd realise most customers would be concerned about this.

Although they've assured us that they don't keep CC numbers in the affected system, as it's just their helpdesk system, I'm also aware of the fact that when you order a new server it raises a helpdesk ticket to their provisioning team -- therefore, surely CC details WERE in those systems, regardless of if you raised a support ticket including them?

0
0
Anonymous Coward

cerberus helpdesk

I have to tell you this is not a terrible record of vulnerabilities yes it's more than you want but when I saw that I said only 11 and most kind of crappy to have to exploit and fairly easy to fix security can really be a hard task master.

0
0

I'm a developer on Cerberus Helpdesk!

Hey there, I'm the lead developer on Cerberus Helpdesk and ALSO a LT customer (we're mutual customers).

Our project has been around since January 2002, and there are a lot of people out there (18,900 companies at last count) running various older versions of the helpdesk. Our source code is 100% open (even on our free versions), which is a generally a great strength. But it also lets the creatively unscrupulous look for the tiniest cracks. I admire what Secunia is doing -- total transparency is important, and our customers have the power (through the source) to react as fast as we do to a new alert. There are a lot of talented people in our community who do just that.

Many of those things sneak in through the clutter of a long-running project that didn't start out intending to be so widely used. Over the past 9 months we've actually rewritten the project from scratch, using what we've learned over the years about maintainability on a wide-scale project.

While it's incredibly tragic when things like this happen, I promise it makes us even more vigilant in sensitivity of the work we're doing for people.

From the article:

"In Greek Mythology, Cerberus is the three-headed dog who stood guard over Hades. So why would marketers name a support desk app after a vicious canine responsible for tormenting damned souls trying to escape their frigid confines?"

Well I guess our first problem there, starting out, is we didn't have any marketers to slap the wrists of a bunch of programmers and tell them naming a project isn't a joke. ;) Our idea was that support was "hell", and we'd all rather be doing something else. Cerberus stood guard of our personal hell.

The thing is, we didn't start the project expecting 18,000 companies would be using it someday. We wrote the tool we needed and it clicked with a lot of people. Once we realized there was a need, we jumped on it -- but that was completely secondary to building the perfect tool for we needed.

That said, I think our community would have a fit if we tried to change the name at this point.

Levity aside, I'm not trying to make light of this situation. I'll extend my help to LT in making sure they're absolutely current on our updates. We've worked with them on scalability in the past, they know we're at their disposal.

-Jeff Standen, Chief of R&D

WebGroup Media LLC (Developers of Cerberus Helpdesk)

0
0
Anonymous Coward

Well done, Jeff Standen...

... if a few more companies were run the way that Jeff has outlined, the world would be a much better place. Taking it on the chin when things go wrong, describing what's being done to sort out the problem, outlining how things work to maximise the product's integrity and users' satisfaction, and posting promptly to get the correct information out quickly into the public domain... that's the way to do it!

{i have no connection with any of the companies or individuals involved]

0
0
Silver badge

Re: Couldn't the bank spot man-in-the-middle attack

So maybe we should let the programmers run a few more companies? ;)

0
0

@Jeff Standen

Admirable response. And for once not a word slandering the security researchers :) Good show.

0
0

Secunia Vulnerbilities Status Summary

Okay, here's the list of all seven of the Secunia vulnerabilities listed as Cerberus Helpdesk ( http://secunia.com/search/?search=cerberus -- Cerberus FTP Server is a different company and product), and what I've found out about them:

http://secunia.com/advisories/15641/ is 2.x only. I have confirmed that the vulnerability is not in current code.

http://secunia.com/advisories/17431/ is 2.x only. The 3.x attachment_send.php requires the correct thread_id to go with the file_id, and that combination would be difficult (though not impossible) to guess, since the thread_id is only ever exposed in tickets to which the user already has access. I've added a check to make sure that only a logged in user can access attachment_send.php.

http://secunia.com/advisories/18112/ is reported against 2.x, but some of the SQL injections had not been fixed. The XSS reported is not reproducible in 3.x. The SQL injections reported that had not previously been fixed have now been fixed.

http://secunia.com/advisories/18657/ is 2.x only. I have confirmed that the vulnerability is not in current code.

http://secunia.com/advisories/21706/ is 2.x and 3.x, but it was fixed in 3.2.

http://secunia.com/advisories/22418/ is 3.x, but was fixed in October of '06.

http://secunia.com/advisories/23193/ is 2.x and 3.x. The vulnerability is listed against spellwin.php, but spellcheck.php has the same problem. This is still (theoretically) present and might work if register_globals is on and the Moon is in the proper alignment with Mars, but I couldn't get them to pop up on my dev machine...

The fixes made today will be pushed to our public CVS repository ( http://cerberusweb.com/cvsweb.pl ) shortly.

-Hildy, Cerberus Helpdesk Developer

WebGroup Media LLC

0
0

Saw that on coming

I've been sending layered Tech reports for 4 weeks now that they had compromised systems that my Denyhost kept blocking, and I never got a response.

Now we know what else those systems were doing.

Cerberus: I had the mispleasure of being exposed to Cerberus at one contract where I was the escalation support for the Help Desk. Cerberus was the right name, but it was keeping the support staff *in* hell...

0
0

Sticks and stones.

Hey Curtis,

Opinions are so subjective, but such vitriol is rather unbecoming for anyone.

If you'd taken the time to visit our project site or forums and voice your concerns constructively, you'd also see we're very strong critics of our own inefficiencies and kludge when they're discovered. Sometimes you don't find such things until people are pushing the system in a way that wasn't anticipated, but should be supported.

Our 4.0 release is the result of a 9 month rewrite to address community concerns on usability, simplicity and efficiency in such environments. This is a 5 year old project, most everybody understands improvement is an ongoing, iterative thing based on their thoughts and feedback.

-Jeff Standen, Chief of R&D

WebGroup Media LLC (Developers of Cerberus Helpdesk)

0
0
This topic is closed for new posts.

Forums